[Freeipa-users] Kerberos hanging approx. once a day

Alexander Bokovoy abokovoy at redhat.com
Wed Jul 22 09:22:41 UTC 2015


On Wed, 22 Jul 2015, Torsten Harenberg wrote:
>Dear community,
>
>we just moved our infrastructure (about 200 node cluster plus about 30
>workstations) from NIS to FreeIPA (version 4.1.4 on FC 21).
>
>We have two IPA servers (called "ipa" and "ipa2" both paravirtualized on
>Xen4).
>
>Approx once a day, the Kerberos service on the primary server suddenly
>stops working and I am unable to re-start the service. Only a "full"
>reboot helps and during that, the Kerberos shutdown takes about 2
>minutes (unsure if it really finishes or if it's the final timeout of
>the shutdown script).
>
>Trying to collect as many log messages as possible:
>
>
>Jul 22 10:52:06 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
>AS_REQ (4 etypes {18 17 16 23}) 132.195.124.213: LOOKING_UP_CLIENT:
>host/proton.pleiades.uni-wuppertal.de@PLEIADES.UNI-WUPPERTAL.DE for
>krbtgt/PLEIADES.UNI-WUPPERTAL.DE@PLEIADES.UNI-WUPPERTAL.DE, Server error
>Jul 22 10:52:11 ipa.pleiades.uni-wuppertal.de krb5kdc[1114](info):
>AS_REQ (4 etypes {18 17 16 23}) 132.195.125.171: LOOKING_UP_CLIENT:
>host/wn161.pleiades.uni-wuppertal.de@PLEIADES.UNI-WUPPERTAL.DE for
>krbtgt/PLEIADES.UNI-WUPPERTAL.DE@PLEIADES.UNI-WUPPERTAL.DE, Server error

Looking at the Kerberos KDC code, I see that LOOKING_UP_CLIENT is shown
when the DAL driver returns something other than 'entry does not exist':

    errcode = krb5_db_get_principal(kdc_context, state->request->client,
                                    state->c_flags, &state->client);
    if (errcode == KRB5_KDB_CANTLOCK_DB)
        errcode = KRB5KDC_ERR_SVC_UNAVAILABLE;
    if (errcode == KRB5_KDB_NOENTRY) {
        state->status = "CLIENT_NOT_FOUND";
        if (vague_errors)
            errcode = KRB5KRB_ERR_GENERIC;
        else
            errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
        goto errout;
    } else if (errcode) {
        state->status = "LOOKING_UP_CLIENT";
        goto errout;
    }

Our DAL driver may return KRB5_KDB_DBNOTINITED, KRB5_KDB_SERVER_INTERNAL_ERR,
or KRB5_KDB_INTERNAL_ERROR, all of which may point towards 389-ds failures.

Do you have 389-ds actually operating? If you install the debuginfo
packages, what does 'pstack <pid of ns-slapd>' print?

-- 
/ Alexander Bokovoy
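
Added example, not part of the original message and not FreeIPA or krb5 code: a log triage script that separates the two status strings set by the KDC excerpt above, so that CLIENT_NOT_FOUND (entry missing) is not confused with LOOKING_UP_CLIENT (lookup itself failed). The sample lines are constructed with placeholder hosts and realm, and the "two or more distinct principals" threshold is an assumption of this example.

```python
import re
from collections import Counter

# Constructed sample lines in the krb5kdc log format quoted in the thread.
# Realm, host names and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
Jul 22 10:51:40 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1437562300, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
Jul 22 10:51:55 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: CLIENT_NOT_FOUND: nosuchuser@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Client not found in Kerberos database
Jul 22 10:52:06 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: LOOKING_UP_CLIENT: host/node1.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Server error
Jul 22 10:52:11 kdc.example.test krb5kdc[1114](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.13: LOOKING_UP_CLIENT: host/node2.example.test@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Server error
"""

# Syslog prefix, then "AS_REQ (<etypes>) <client address>: <STATUS>: <rest>".
AS_REQ = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \([^)]*\) (?P<addr>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$")
# "<client> for <server>[, <error text>]" at the end of the line.
PRINCIPALS = re.compile(
    r"(?P<client>\S+) for (?P<server>[^,\s]+)(?:, (?P<error>.*))?$")


def parse_as_req(line):
    """Return a dict for one AS_REQ log line, or None for any other line."""
    m = AS_REQ.match(line)
    if not m:
        return None
    ev = m.groupdict()
    p = PRINCIPALS.search(ev.pop("rest"))
    ev.update(p.groupdict() if p
              else dict.fromkeys(("client", "server", "error")))
    return ev


def triage(lines, min_principals=2):
    """Count AS_REQ statuses and flag a probable KDC database backend fault.

    Assumption of this example: lookup errors for several different
    principals implicate the backend rather than one damaged entry.
    """
    statuses, failing = Counter(), set()
    for ev in filter(None, map(parse_as_req, lines)):
        statuses[ev["status"]] += 1
        if ev["status"] == "LOOKING_UP_CLIENT" and ev["client"]:
            failing.add(ev["client"])
    return {"statuses": dict(statuses),
            "lookup_failures": sorted(failing),
            "backend_suspect": len(failing) >= min_principals}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```

A True "backend_suspect" is the cue to check the directory server process, as the reply asks, before restarting the KDC.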



